Carbon Black Cloud: What Happens When Bypass has been Enabled on the device?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Versions
  • Apple MacOS: All Versions

Question

What effect does enabling Sensor Bypass (Endpoints > Select Sensor > Take Action > Enable Bypass) have on Sensor activity?

Answer

Protection and Monitor Status

  • Policy Rules are not enforced so the Sensor is not actively protecting the device.
  • The Sensor will not send any new data to the Carbon Black Cloud console while it is in Bypass.

Remote Investigation

  • All device activity prior to Bypass being enabled will still be available on the Investigate Page in the Console.
  • Administrators can continue investigating a device from the PSC Console (Investigate Page, Live Response, Live Query, etc.).
  • VMware Carbon Black Support will still be able to pull sensor logs from the device while in quarantined mode.

Local Sensor Activity

  • All Sensor services (cbdefense and cbdefenseWSC) will continue to run.
  • The Sensor still locally logs system information, such as CPU and memory use.
  • The Sensor maintains the local databases by removing stale records and removing files that have been deleted. 
  • The Sensor still checks in to confirm configuration, policy rules, and requested sensor actions.
  • Signature updates for the local scanner still occur.
  • Repmgr is still running; it checks the reputations of any interesting files accessed.
  • This activity is recorded and stored locally, though it is not uploaded to the Console.

Article Information

Creation Date: 09-02-2020